This paper grew out of a talk I gave in 2023 at MSSN CTRL entitled “Breathing New Life into the Cybersecurity Kill Chain: Transforming Theory into Action.” Before my talk, Joshua Finney, Branch Chief of the Cybersecurity and Infrastructure Security Agency (CISA) Incident Response and Hunt Team, gave a presentation on thinking in graphs, “Attackers Think in Graphs; Why Can’t We?” (he sadly had to leave before my presentation). One of the questions I received during my talk stemmed from it: “Does the Investigator’s Mental Model help you think in graphs?” It was something I hadn’t pondered myself, but after some reflection post-conference, I realized that it did.

That question led me to put more effort into fleshing out the framework I had developed. This is the origin of the framework we’ll be discussing throughout this paper.

The Cybersecurity Kill Chain is a widely taught framework in the field. Early in my career, I didn’t realize it could be used as a practical investigative aid for defenders, not just as an academic concept. I believe this is partly because it’s written from an attacker’s perspective, which doesn’t always translate well for defense. Additionally, its vague phase definitions make it awkward to apply: not every phase is relevant to every attack (and this is not limited to edge cases), and the phases frequently overlap.

Moreover, its military jargon can feel out of place in the private sector. In my opinion, a critical flaw at the core of the Cybersecurity Kill Chain is that it promotes linear thinking instead of encouraging thinking in graphs. As John Lambert from Microsoft highlights, defenders often think in lists while attackers think in graphs. This discrepancy gives attackers an advantage, as they navigate the network through its interconnected security dependencies (credentials, sessions, trust relationships) rather than host by host.

With these challenges in mind, I wanted to take another look at the Cybersecurity Kill Chain and see if it could be modernized and reworked into something that is more useful for modern investigations and easier for a junior analyst to apply.

NOTE: This blog assumes you’re already familiar with the Kill Chain framework. If not, I recommend reviewing it first here.

Introducing G.I.F.T.: The Graph-based Investigative Framework for Threats

G.I.F.T., or the Graph-based Investigative Framework for Threats, is my answer to these shortcomings. G.I.F.T. consists of eight phases compared to the Cybersecurity Kill Chain’s seven. It should be thought of in two ways: circular at the tactical level (during the investigation), where the attacker goes around the circle once per foothold, and linear at the operational and strategic level, where the findings from each rotation of the G.I.F.T. framework are overlaid onto one linear sequence when the investigation is reviewed in retrospect.

Graph-based Investigative Framework for Threats

G.I.F.T. Phases

While the phases remain largely unchanged, the new language is tremendously helpful for defenders. This concept aligns with the Sapir-Whorf Hypothesis, which suggests that the structure of a language influences its speakers’ worldview and cognition. According to Wikipedia:

The Sapir–Whorf hypothesis, or Whorfianism, is a principle suggesting that the structure of a language influences its speakers’ worldview or cognition, and thus individuals’ languages determine or influence their perceptions of the world.

As defenders, we should leverage this concept. The phase names now emphasize language that encourages a more investigative mindset, rather than an attacker’s mindset.

Keep in mind, while the language update is significant, the most impactful part of this framework is the circular graph thinking it encourages, rather than linear thinking.

1. Discovery

This replaces the Recon phase of the Cybersecurity Kill Chain. The Discovery phase reinforces defensive-minded thinking. As a defender, I know an attacker will likely perform some level of discovery on my organization, attempting to find information that can be leveraged to target us.

2. Preparation

This replaces the Weaponization phase of the Cybersecurity Kill Chain. As a defender, I know an attacker will prepare their attack using the information they discovered about my organization.

3. Delivery

This phase remains largely unchanged. As a defender, I know an attacker will need to deliver a payload that was prepared specifically for our organization.

4. Vulnerability Assessment

This is the first major change of the framework, replacing the Exploitation phase. As a defender, I need to assess which vulnerability was exploited within my network and resolve it.

The reason I believe this is the first major change of the framework is due to the fact that when I was first starting out, I always hated the “exploit” phase. I thought, “How am I supposed to figure out what exploit was used? There are thousands, and I can’t be familiar with every application!” It seemed impossible to identify this phase without spending an overwhelming amount of time, which wouldn’t be worth the effort for most organizations.

It wasn’t until a mentor helped me reframe this phase in my mind that it “clicked.” He told me to think of it as a defender: assess the vulnerabilities on the impacted system (using your vulnerability scanning tools) and compare them to what software was identified in the attack. Look for overlap. Rethinking the concept this way made what once seemed impossible for an average analyst much more manageable.

NOTE: The term “vulnerability” is often taken to mean only something that has been assigned a CVE. Here it also covers weaknesses such as an application without 2FA enforced, a shared local administrator password, or the human weaknesses that social engineering exploits.
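The overlap check the mentor described, as an added example (not the author’s code): take the vulnerability-scan findings for the impacted host, take the software that the attack artifacts show the adversary actually touched, and report the intersection. Rows without a CVE are configuration weaknesses, which the NOTE above counts as vulnerabilities too. The scanner export format, the hostname, the findings and the evidence strings are all constructed for illustration; the one real CVE identifier is used only as sample data.

```python
"""Added example (not the author's code): correlate a vulnerability-scan export
with the software the attack artifacts touched, to narrow down which weakness
was exploited. The export shape and every row below are constructed."""
import csv
import io
from collections import defaultdict

# Constructed scan export for the impacted host. Real scanner exports differ;
# only the columns used below matter. An empty "reference" means the row is a
# configuration weakness rather than a CVE-assigned flaw.
SCAN_CSV = """host,software,version,finding,reference
fileserver01,Apache HTTP Server,2.4.49,Path traversal,CVE-2021-41773
fileserver01,OpenSSH,8.2p1,Outdated package,
fileserver01,Remote Desktop Services,,NLA disabled,CONFIG-RDP-NLA
fileserver01,VPN portal,,MFA not enforced,CONFIG-NO-MFA
fileserver01,Microsoft Office,16.0,Internet macros allowed,CONFIG-MACROS
"""

# Constructed: software the attack artifacts show was touched, with the evidence.
OBSERVED = {
    "apache http server": "web log: request to /cgi-bin/ with encoded ../ sequences, "
                          "then a shell process under the httpd user",
    "vpn portal": "auth log: login from an unfamiliar network with no MFA challenge",
    "smb file shares": "file server audit log: bulk read of the Finance share",
}


def load_findings(scan_text):
    """Group scan rows by lowercased software name."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(scan_text)):
        findings[row["software"].strip().lower()].append(row)
    return findings


def assess(scan_text, observed):
    """Return (overlap, uncovered).

    overlap   - scan findings on software the attack demonstrably touched
    uncovered - software seen in the attack with no scan finding at all
                (either genuinely clean, or a scanning blind spot to check)
    """
    findings = load_findings(scan_text)
    overlap, uncovered = [], []
    for software, evidence in observed.items():
        rows = findings.get(software.lower(), [])
        if not rows:
            uncovered.append(software)
            continue
        for row in rows:
            overlap.append({
                "software": f'{row["software"]} {row["version"]}'.strip(),
                "finding": row["finding"],
                "reference": row["reference"] or "(no CVE: configuration weakness)",
                "evidence": evidence,
            })
    return overlap, uncovered


if __name__ == "__main__":
    hits, missing = assess(SCAN_CSV, OBSERVED)
    for hit in hits:
        print(f'{hit["software"]}: {hit["finding"]} [{hit["reference"]}] <- {hit["evidence"]}')
    for software in missing:
        print(f"{software}: touched by the attack but absent from the scan; check scan coverage")
```

The uncovered list is the part analysts tend to skip: software the adversary used that the scanner never assessed is itself a finding for the Vulnerability Assessment phase, because it tells you where your scan coverage is blind.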

5. Action Execution

This is the second major change of the framework, replacing the Installation phase and breaking it out into two separate phases: Action Execution and Persistence. As a defender, I know an attacker will need to execute some sort of action for an attack to take place.

This action could be the execution of malware on an end system, or a login to a system that doesn’t enforce 2FA using credentials obtained earlier in the attack.

One of the biggest challenges for new analysts I’ve taught and mentored is the concept of an “Installation” phase. What does that even mean? There is significant overlap between the Exploitation and Installation phases due to this vagueness. Additionally, with modern SaaS applications like O365 or cloud applications, there may be no end system where something can be “installed” in the traditional sense, making it awkward to apply.

6. Persistence

The third major change of the framework, and the second part of what once was the Installation phase. As a defender, I know that an attacker will look for some way to persist and maintain their access.

This could be something such as a malicious scheduled task or perhaps a backdoor account.

7. Interaction

This phase replaces, and is largely unchanged from, the Command and Control phase. Again, the change is primarily one of language, to make the phase easier to apply to modern attacks. As a defender, I know an attacker will need to interact with the malware on the end system for follow-on activity, or perhaps will need to log in to and interact with an O365 account.

8. End Goal

Largely unchanged from the Action on Objectives phase and replaces it. As a defender, I know an attacker has an end goal with their attack, such as deploying ransomware, intelligence gathering, or maybe even just “the lulz.”

Thinking in Graphs - What Does it Mean?

Thinking in graphs means visualizing and understanding relationships and connections between different entities within a network. Instead of viewing security incidents as isolated events, graph thinking encourages seeing the interconnected nature of systems, vulnerabilities, and threats. This approach allows defenders to identify potential attack paths, understand how an attacker might move laterally through a network, and recognize critical points of failure. By mapping out these connections, defenders can develop more robust and comprehensive defense strategies that are adaptive and resilient to complex, multi-faceted attacks.
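What “thinking in graphs” looks like in code, as an added example (not the author’s code and not taken from John Lambert’s post): a small attack graph whose nodes are hosts, credentials and sessions, and whose edges are the security dependencies that let control of one node reach the next. From it we enumerate the attack paths from the phished workstation to the domain controller, find the choke points every path shares, and check how many paths survive if each choke point is fixed on its own. The environment, node names and edge reasons are constructed for illustration.

```python
"""Added example (not the author's code): an attack graph over hosts,
credentials and sessions. An edge means controlling the source gives a way to
the target. The environment below is constructed for illustration."""
from collections import defaultdict

# Constructed environment: (source, target, security dependency linking them)
EDGES = [
    ("phished-workstation", "local-admin-cred", "local admin password cached on disk"),
    ("local-admin-cred", "workstation-fleet", "same local admin password on every workstation"),
    ("workstation-fleet", "helpdesk-session", "helpdesk admin logged on interactively"),
    ("helpdesk-session", "helpdesk-cred", "credential material dumped from the session"),
    ("helpdesk-cred", "print-server", "helpdesk group is local admin"),
    ("helpdesk-cred", "jump-host", "helpdesk group may RDP"),
    ("print-server", "svc-backup-cred", "service account password in a script"),
    ("jump-host", "svc-backup-cred", "scheduled task runs as svc-backup"),
    ("svc-backup-cred", "backup-server", "svc-backup is local admin"),
    ("backup-server", "domain-controller", "backup agent runs with DC admin rights"),
]


def build_graph(edges):
    """Adjacency list: node -> nodes reachable in one step."""
    graph = defaultdict(list)
    for src, dst, _reason in edges:
        graph[src].append(dst)
    return graph


def attack_paths(graph, start, goal):
    """Every simple path from start to goal (depth-first; fine for small graphs)."""
    found = []

    def walk(node, path):
        if node == goal:
            found.append(path)
            return
        for nxt in graph.get(node, []):
            if nxt not in path:          # no revisits, so paths stay simple
                walk(nxt, path + [nxt])

    walk(start, [start])
    return found


def choke_points(paths, start, goal):
    """Nodes shared by every path: removing any one of them severs all of them."""
    if not paths:
        return set()
    shared = set.intersection(*(set(p) for p in paths))
    return shared - {start, goal}


def without_node(graph, node):
    """The graph with one node and every edge into it removed: models a fix."""
    return {src: [dst for dst in dsts if dst != node]
            for src, dsts in graph.items() if src != node}


def summarize(edges, start, goal):
    """Paths, choke points, and paths remaining after fixing each choke point alone."""
    graph = build_graph(edges)
    paths = attack_paths(graph, start, goal)
    chokes = choke_points(paths, start, goal)
    remaining = {n: len(attack_paths(without_node(graph, n), start, goal)) for n in chokes}
    return paths, chokes, remaining


if __name__ == "__main__":
    paths, chokes, remaining = summarize(EDGES, "phished-workstation", "domain-controller")
    for p in paths:
        print(" -> ".join(p))
    print("choke points:", sorted(chokes))
    print("paths left after fixing each choke point alone:", remaining)
```

Two things fall out that a host-by-host list would hide: the print server and the jump host are interchangeable (fixing either leaves a path), while the shared local admin password and the backup service account sit on every path, so those are where a fix actually severs the graph.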

Graph Thinking Image

Graph Thinking in Practice: Approaching Attacks as a Circle Tactically

The Cybersecurity Kill Chain typically promotes viewing an attack from start to finish in a linear fashion, which discourages thinking of an attack as a graph. This linear limitation can also make it awkward to apply in certain investigative scenarios. When you start thinking of attacks as a repeating circular process, an attack chain makes much more sense, and you’ll understand why John Lambert’s post about thinking in graphs is such a masterpiece. By extension, you will naturally start thinking in graphs.

In a real attack chain, an attacker will typically make multiple rotations of the G.I.F.T. Framework, and each full rotation can be thought of as a “node” that is connected to the prior rotation. For example, a hypothetical ransomware actor’s first real End Goal is gaining access to a victim network, even if it means landing malware on a single system out of thousands.

  1. First Rotation: Gaining initial malware execution on a system or systems.

    • Discovery: An adversary conducts discovery against a potential victim organization to find ways to gain initial access.
    • Preparation: An adversary uses the information discovered to prepare an exploit.
    • Delivery: An adversary delivers the exploit to the end system.
    • Vulnerability Assessment: I need to assess the vulnerabilities on the system to identify what was exploited.
    • Action Execution: An adversary executes an action on the intended system, such as executing malware.
    • Persistence: An adversary wants to maintain access once they achieve it.
    • Interaction: An adversary needs a way to interact with the end system or malware.
    • End Goal: An adversary aims to gain access to my network.
  2. Second Rotation: Moving laterally to another system.

    • Discovery: An adversary will perform discovery to move laterally within the network, such as network scanning to find a vulnerability or weakness.
    • Preparation: An adversary prepares the exploit based on the discovered information for the next target system.
    • Delivery: An adversary delivers the exploit to the next target system.
    • Vulnerability Assessment: I need to assess the vulnerabilities on the next target system to identify what was exploited.
    • Action Execution: An adversary executes an action on the next target system, such as executing malware.
    • Persistence: An adversary wants to maintain access on the next target system once they achieve it.
    • Interaction: An adversary needs a way to interact with the end system or malware on the next target system.
    • End Goal: An adversary aims to move laterally in the network, gaining additional footholds and greater potential impact.
  3. Third Rotation: Deploying ransomware within the network.

    • Discovery: An adversary performs discovery to identify high-value targets and systems within the network.
    • Preparation: An adversary prepares the ransomware payload based on the information discovered.
    • Delivery: An adversary delivers the ransomware payload to the identified target systems.
    • Vulnerability Assessment: I need to assess the vulnerabilities on the target systems to understand how the ransomware was deployed.
    • Action Execution: An adversary executes the ransomware on the target systems.
    • Persistence: An adversary ensures the ransomware can maintain its presence and continue its malicious activities.
    • Interaction: An adversary interacts with the compromised systems to manage and control the ransomware deployment.
    • End Goal: An adversary’s objective is to encrypt data, demand ransom, and maximize damage.
  4. Fourth Rotation: Continuing on as needed…

Tactical G.I.F.T. View

By thinking of attacks as continuous, interconnected cycles rather than linear steps, defenders can better anticipate and respond to adversaries’ movements, making the defense strategy more robust and adaptive.

Strategic Use of the G.I.F.T. Framework

Although I’ve criticized viewing an attack linearly, it’s crucial to review the attack as a whole once the investigation is complete. This involves overlaying the findings from each rotation (each node) onto one linear G.I.F.T. sequence as part of your lessons learned.

This practice, typically done for operational and strategic impact after an incident, allows you to see the attack at a high level and categorize behaviors at each phase. It can significantly benefit a security program by providing metrics that justify budget increases for SOC managers or by giving detection engineers a complete attack chain. This detailed breakdown helps identify which detections can be built and deployed, and where.
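The tactical and strategic views side by side, as an added example (not the author’s code): the three-rotation ransomware intrusion above modelled as a chain of G.I.F.T. nodes, each linked to the rotation before it, then folded into the single linear sequence the strategic review uses. Phases that stayed empty after the investigation are returned separately, which is the raw material for the visibility tracking described in the Operationalizing section. The observations attached to each phase are constructed for illustration.

```python
"""Added example (not the author's code): the three-rotation ransomware case
modelled as a chain of G.I.F.T. nodes, then folded into the strategic linear
view. The observations attached to each phase are constructed."""

PHASES = ("Discovery", "Preparation", "Delivery", "Vulnerability Assessment",
          "Action Execution", "Persistence", "Interaction", "End Goal")


class Rotation:
    """One trip around the circle; `parent` links it to the prior rotation."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.phases = {phase: [] for phase in PHASES}

    def record(self, phase, observation):
        if phase not in self.phases:
            raise ValueError(f"unknown phase: {phase}")
        self.phases[phase].append(observation)
        return self


def tactical_chain(last):
    """Walk parent links back to the first rotation; returned in attack order."""
    chain = []
    while last is not None:
        chain.append(last)
        last = last.parent
    return chain[::-1]


def strategic_view(last):
    """Overlay every rotation onto one sequence: phase -> [(rotation, observation)]."""
    view = {phase: [] for phase in PHASES}
    for rot in tactical_chain(last):
        for phase, observations in rot.phases.items():
            view[phase].extend((rot.name, obs) for obs in observations)
    return view


def visibility_gaps(last):
    """(rotation, phase) pairs where the investigation found nothing.
    Tracked across incidents, a phase that is repeatedly empty is either a
    monitoring gap or a training gap, depending on whether the tooling exists."""
    return [(rot.name, phase)
            for rot in tactical_chain(last)
            for phase, observations in rot.phases.items() if not observations]


# Constructed evidence for the hypothetical ransomware intrusion described above.
r1 = (Rotation("R1 initial execution")
      .record("Discovery", "employee names and e-mail format scraped from public sources")
      .record("Preparation", "macro document themed as an invoice for this company")
      .record("Delivery", "phishing e-mail to a finance mailbox")
      .record("Vulnerability Assessment", "Office allowed macros in internet-sourced files")
      .record("Action Execution", "macro spawned a PowerShell downloader")
      .record("Persistence", "Run key pointing at the downloaded implant")
      .record("Interaction", "implant beaconed to external C2")
      .record("End Goal", "foothold on one workstation"))
r2 = (Rotation("R2 lateral movement", parent=r1)
      .record("Discovery", "SMB and RDP scan of the server subnet from the workstation")
      .record("Delivery", "remote service created on the file server over SMB")
      .record("Vulnerability Assessment", "shared local admin password across hosts")
      .record("Action Execution", "implant copied and started as a service")
      .record("Interaction", "second implant joined the same C2")
      .record("End Goal", "access to the file server"))
r3 = (Rotation("R3 ransomware deployment", parent=r2)
      .record("Discovery", "Active Directory enumeration for backup hosts and DCs")
      .record("Preparation", "ransomware binary built with a victim-specific key")
      .record("Delivery", "binary pushed to all hosts by group policy")
      .record("Vulnerability Assessment", "domain admin credential reused on the file server")
      .record("Action Execution", "mass encryption started after backups were deleted")
      .record("Interaction", "operator on RDP through the file server")
      .record("End Goal", "encrypt data and extort payment"))

if __name__ == "__main__":
    print(" -> ".join(r.name for r in tactical_chain(r3)))
    for phase, entries in strategic_view(r3).items():
        print(f"{phase}: {len(entries)} observation(s)")
    print("gaps:", visibility_gaps(r3))
```

In the constructed case, Persistence is empty for two of three rotations, which is the kind of pattern that, if it recurs across incidents, tells a SOC manager whether the team lacks the telemetry to see it or the training to find it.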

Strategic G.I.F.T. View

Operationalizing the G.I.F.T. Framework

A framework is useless if it can’t be operationalized in the real world. Here are some high-level ways the G.I.F.T. Framework can be applied practically.

Security Operations Center (SOC) Managers

Aligning to a framework like G.I.F.T. encourages graph thinking and provides granular data for both upward and downward reporting. For example, if you consistently struggle to identify a specific phase of the G.I.F.T. Framework, this lack of visibility can be tracked and used to justify budget increases to improve your monitoring capabilities.

You can also review historical data to identify common patterns where analysts may struggle. If you have the necessary tools and visibility but see consistent difficulties in a particular phase, this could indicate a need for additional training.

Detection Engineering

For detection engineers, receiving a comprehensive list of behaviors for each phase of the G.I.F.T. Framework provides a holistic view of an attack from start to finish. This approach offers a full range of potential detection opportunities rather than focusing on isolated techniques.

Similar to SOC Managers, detection engineers can benefit from identifying repeated areas of poor visibility. This insight can highlight the need for research into visibility issues or ways to improve detection capabilities in those areas.

SOC Analysts

The G.I.F.T. Framework helps SOC analysts start thinking of attacks in terms of graphs. This perspective is invaluable for understanding how an attacker may move through the network and what areas need to be checked for potential breaches. It encourages a more dynamic and interconnected approach to threat analysis.

G.I.F.T. Wrapping it Up

The G.I.F.T. Framework offers a modern and practical approach to cybersecurity, addressing the limitations of the traditional Cybersecurity Kill Chain. By encouraging thinking in graphs and providing a detailed, phased approach to both tactical and strategic analysis, G.I.F.T. enhances the ability of SOC managers, detection engineers, and analysts to understand, anticipate, and respond to cyber threats more effectively.

Incorporating the G.I.F.T. Framework into your security practices can lead to improved visibility, better resource allocation, and more effective training and detection strategies. While the MITRE ATT&CK Framework remains a valuable tool for many organizations, it can be complex and overwhelming for smaller, less mature teams. Similarly, the Cybersecurity Kill Chain, though simpler, often promotes linear thinking which may not capture the full scope of modern attacks. In contrast, G.I.F.T. provides a more accessible, manageable, and holistic alternative that encourages graph thinking and addresses the limitations of both frameworks.

As the cybersecurity landscape continues to evolve, adopting frameworks like G.I.F.T. that promote continuous, interconnected analysis will be crucial for staying ahead of adversaries. Embrace the shift from linear to graph thinking and empower your security team with the tools and mindset needed to defend against today’s complex cyber threats.